Audit deleted message for a mailbox with delegated access

If you have scoped the search to specific user (via the -UserId parameter), only audit log entries corresponding to operations performed by said user will be returned. If you want to limit the search to events performed against specific (shared) mailbox instad, you must filter on the MailboxOwnerUPN value. Unfortunately, we do not have a server-side method to do this, hence the recommendation is to use the -FreeText parameter instead. Alternatively, you can fetch all events and filter client-side.

Here's a note from the official documentation describing this behavior:

Use -UserIds to find activities performed BY a specific delegate user. Don't use -UserIds with the shared mailbox address, as this action doesn't return delegate activities performed IN the shared mailbox. For activities performed in the shared mailbox by any user (including delegates), use the -FreeText parameter as shown in other sections.

Deleted-item audit records for a mailbox with delegated access can be retrieved, but the search method determines whether delegate identities are visible.

1. Searching by User (UserIds) returns actions performed by that user, not all actions in the mailbox. It also does not return activities performed in shared mailboxes or by delegates on another mailbox.
2. To see all delete/move-to-Deleted-Items actions that occurred in a specific mailbox (including actions performed by delegates), search the unified audit log by the mailbox’s ExchangeGuid, not by UserIds:

Search-UnifiedAuditLog -StartDate <start> -EndDate <end> \
  -FreeText (Get-Mailbox <mailbox identity>).ExchangeGuid

This returns all mailbox-audit events for that mailbox. In the exported results:

• The mailbox that was acted on is identified by fields such as MailboxGuid and MailboxResolvedOwnerName.
• The actor (who performed the action) is identified by UserId in the main columns and by delegate-related fields inside AuditData, such as DelegateUserDisplayName and LogonUserSid.

3. If the goal is specifically to track deleted items in a shared or delegated mailbox, use a targeted query for delete operations and the mailbox identity:

Search-UnifiedAuditLog -StartDate <start> -EndDate <end> \
  -FreeText <******@domain.com> \
  -Operations SoftDelete,HardDelete,MoveToDeletedItems \
  -ResultSize 500

This query returns delete-related operations in that mailbox regardless of whether they were performed by the owner or a delegate. Delegate identities are visible in the audit data fields mentioned above.

4. Ensure mailbox auditing is enabled and configured to log the relevant actions for delegates and owners so that future delete/move events are captured:

Set-Mailbox <mailbox> -AuditEnabled $true \
  -AuditOwner @{Add="Move","MoveToDeletedItems","SoftDelete","HardDelete","Create"} \
  -AuditDelegate @{Add="SendAs","Move"}

Also verify that organization-wide auditing is not disabled:

Set-OrganizationConfig -AuditDisabled $false

With these settings and by querying via ExchangeGuid or mailbox FreeText, audit results will show which delegate deleted or moved items in the mailbox.

References:

• Search the audit log to investigate common support issues
• Investigate shared mailbox activities using audit logs
• Mailbox audit logging
• Mailbox audit log entries
• Manage mailbox auditing
• Use mailbox audit logs in Microsoft 365
• Search the audit log for mailbox activities in specific mailboxes
• Search the audit log for specific email messages